Abstract

Incentives play an important role in (security and IT) risk manage- 
ment of a large-scale organization with multiple autonomous divisions. 
This paper presents an incentive mechanism design framework for risk 
management based on a game-theoretic approach. The risk manager acts 
as a mechanism designer providing rules and incentive factors such as 
assistance or subsidies to divisions or units, which are modeled as self- 
ish players of a strategic (noncooperative) game. Based on this model, 
incentive mechanisms with various objectives are developed that satisfy 
efficiency, preference-compatibility, and strategy-proofness criteria. In ad- 
dition, iterative and distributed algorithms are presented, which can be 
implemented under information limitations such as the risk manager not 
knowing the individual units' preferences. An example scenario illustrates 
the framework and results numerically. The incentive mechanism design 
approach presented is useful for not only deriving guidelines but also de- 
veloping computer-assistance systems for large-scale risk management. 

Keywords: mechanism design, risk management, incentives in orga- 
nizations 



1 Introduction 

Security risk management is a multi-disciplinary field with both technical and 
organizational dimensions. On the technical side, complex and networked 
systems play an increasingly important role in daily business processes. Hence, 
system failures and security problems have direct consequences for organizations 
both monetarily and in terms of productivity [29]. It is therefore a necessity for
any modern organization to develop and deploy technical solutions for improving
robustness of these complex information technology (IT) systems with respect to
failures (e.g. in the form of redundancies) and defending them against security
threats (e.g. firewalls and intrusion detection/response systems). 

However, even the best and most suitable technical solution will fail to per- 
form adequately if it is not properly deployed and supported organizationally. 
In order to be successful in risk management, an organization has to have proper 
information about its business processes and complex technical systems or
"observe" them as well as be able to influence their operation or "control" them [2].
In a large-scale organization these two necessary requirements, which may seem 
easy to satisfy at first glance, pose significant challenges. An important reason 
behind this issue, beside organizational structure, is the underlying incentive 
mechanisms. 

Autonomous yet interdependent divisions or units of a large organization
often have individual objectives and incentives that may not be as aligned
in practice as the headquarters and executives wish. Each such unit may have
a different perspective on risk management, which directly affects deployment of
technical or organizational solutions. Misaligned incentives also make
observation and control of business and technical processes difficult for risk
managers. Considering the complex interdependencies in today's technology and
business, such a misalignment in incentives is not a luxury even a large-scale
organization can afford.

Let us consider an example scenario of an enterprise deploying a new secu- 
rity risk management system that entails information collection (observation), 
risk assessment (decision making), and mitigation (control). In order for its suc- 
cessful operation, each division has to cooperate at each stage of its deployment 
and operation. At the deployment phase, the divisions have to provide accurate 
information on their business and networked systems. During the operational 
phase, each division has to allocate manpower and resources for the proper op- 
eration of the system. All these can be accomplished only if the division has 
sufficient incentives for real cooperation. Otherwise, the risk management sys- 
tem would simply fail as a result of bureaucracy, enterprise politics, and delaying 
tactics. 

Game theoretic approaches have significant potential in addressing the
above described issues as well as in risk analysis, management, and associated
decision making [3,14,30]. The performance of manual and heuristic schemes
degrades fast as the scale and complexity of the organization increases. Computer
assistance in observation, decision making, and control of different risk
management aspects is necessary to overcome this problem. Development of such
computer-based support schemes, however, requires quantitative representations
and analysis. Game theoretic and analytical frameworks provide a mathematical
abstraction which is useful for generalization of seemingly different problems,
combining the existing ad-hoc schemes under a single umbrella, and opening
doors to novel solutions. At the same time, such frameworks and the associated
scientific methodology lead to streamlining of risk management processes
and possibly more transparency as a consequence of increased observability and
control [2].

Mechanism design [20,23,26], which is a field of game theory, has been
proposed recently as a way to model, analyze, and address risk management
problems [2]. It can be potentially useful especially in developing analytical
frameworks for incentive mechanisms. Game theory in general provides a rich
set of mathematical tools and models for investigating multi-person strategic
decision making where the players (decision makers) compete for limited and
shared resources [7,13]. Mechanism design studies ways of designing rules and
structure of games such that their outcomes achieve certain objectives.

In the context of security risk management, the units of an organization can
be modeled as players (independent decision makers) in a risk management
game since they share and compete for organizational resources. Each player
decides on the allocation of the unit's resources, e.g. in terms of manpower and
investments, to assess and mitigate perceived risks. The task of the organization's
risk manager (designer) is then to influence the outcome of this game by imposing
rules and varying its structure such that a satisfactory amount of investment
is made by each unit. Thus, the designer tries to optimize the risk management
process from the entire organization's perspective within given resource
constraints, e.g. budget.

This paper adopts a game-theoretic approach and presents a framework 
of incentive mechanism design for security risk management. The analytical 
framework studied can not only be used to derive guidelines for handling incen- 
tives in risk management but also to develop computer-assisted risk management 
systems. The main contributions of the paper include: 

• A strategic (noncooperative) game approach for analysis of incentives in 
(security and IT) risk management. 

• An analytical incentive mechanism design framework where the designer 
does not have access to utilities of individual players of the underlying 
strategic game. 

• Study of iterative incentive schemes which can be implemented under in- 
formation limitations and their convergence analysis. 

• A numerical analysis based on a scenario of a risk management system 
deployment. 

A more detailed discussion clarifying these contributions and a comparison with 
existing literature will be provided in Section 6. 

The rest of the paper is organized as follows. The next section provides an 
overview of the underlying mechanism design and game-theoretic concepts as 
well as the model adopted in this work. Section 3 presents incentive mechanism 
design for risk management. Section 4 discusses iterative incentive mechanisms 
and related distributed algorithms. An example use case scenario and related 
numerical analysis is presented in Section 5, which is followed by a brief litera- 
ture review in Section 6. The paper concludes with a discussion and concluding 
remarks in Section 7. 
2 Game and Mechanism Model



Consider an organization with N autonomous units, which act as independent 
decision makers, and a risk manager, which oversees the risk management task of 
the entire organization (and is often a special organizational unit itself). This 
generic organization may be a large-scale multi-national enterprise (divisions 
versus the risk manager at the headquarters), a government (government agencies
versus central executives), or even an international organization (individual
countries versus general secretary of the organization). 

Adopting a game-theoretic approach, each autonomous unit can be modeled
as a player of a strategic (noncooperative) game with the set of all players
denoted as $\mathcal{A}$. The player $i \in \mathcal{A}$ independently decides on
its respective decision variable $x_i$, which represents allocation of limited
resources such as monetary investments or manpower, in accordance with its own
objectives. In the majority of cases, the decisions of players affect each other
due to constraints of the environment. Thus, the players share and compete for
resources as part of this strategic game.

The risk manager $\mathcal{D}$, which is also called designer$^1$ in the context of
mechanism design, focuses on the aggregate outcome of the strategic game and tries
to ensure that the game satisfies some risk management objectives, e.g.
information collection for assessment or deployment of a new risk management
solution. Unlike the players, the designer achieves its objective only by indirect
means such as providing additional incentives to players in the form of incentive
factors and penalties or imposing rules. It is important to note that the risk
manager cannot directly dictate individual actions of players, which is a realistic
assumption that holds for many types of civilian organizations. The interaction
between risk manager (designer) and organizational units (players) is depicted
in Figure 1.

The $N$-player strategic game, $\mathcal{G}$, is described as follows. Each player
$i \in \mathcal{A}$ has a respective scalar decision variable$^2$ $x_i$ such that

$$x = [x_1, \ldots, x_N] \in \mathcal{X} \subset \mathbb{R}^N,$$

where $\mathcal{X}$ is the convex, compact, and nonempty decision space of all players.
The players make their decisions in accordance with their preferences modeled
as customary by real valued utility functions

$$U_i(x) : \mathcal{X} \to \mathbb{R}.$$

For analytical tractability, the player utility functions are chosen as continuous,
differentiable, and strictly concave. It is important to note here that players do
not reveal their utilities (preferences) to the designer. Application of a similar
utility function approach to risk management has been discussed in detail in [14,
Chap. 3], where the concave utilities are interpreted as "risk averse".

$^1$ The terms risk manager and designer as well as (organizational) unit and player
will be used interchangeably for the rest of the paper.

$^2$ The analysis can be easily extended to the multi-dimensional case. However, since
this would complicate the notation and readability without a significant conceptual
contribution, this paper focuses on scalar decision variables.

[Diagram: Organization]

Figure 1: The interaction between the players (autonomous organizational
units) of the underlying strategic game and the risk manager acting as mechanism
designer, who observes players' actions (investments) $x$ and provides additional
incentives $p$.

While each player gains a utility from its decisions (investments), these
resources also have a cost, which can often be expressed in monetary terms. We
assume that these costs are linear in the allocated resource, $\beta_i x_i$, where
$\beta_i$ is the individual per unit cost factor. Each player $i$ aims to minimize its
respective cost function

$$J_i(x) = \beta_i x_i - U_i(x) - p_i x_i, \qquad (1)$$

where the linear term $p_i x_i$ represents the incentive factor (or penalty if negative)
provided to the player by the designer $\mathcal{D}$. Thus, player $i$ solves the
optimization problem

$$\min_{x_i} J_i(x_i, x_{-i}),$$

by choosing an appropriate $x_i$ given the decisions of all players denoted by $x_{-i}$
such that $x \in \mathcal{X}$. Formally, strategic game $\mathcal{G}$ is defined as:

Definition 1. The strategic (noncooperative) game $\mathcal{G}$ is played among the set
of selfish players, $\mathcal{A}$, of cardinality $N$, on the convex, compact, and
non-empty decision space $\mathcal{X} \subset \mathbb{R}^N$, where

• $x = [x_1, \ldots, x_N] \in \mathcal{X}$ denotes the actions of players

• $U_i(x) : \mathcal{X} \to \mathbb{R}$ denotes the utility function of player $i \in \mathcal{A}$

• $J_i(x) = \beta_i x_i - U_i(x) - p_i x_i$ denotes the cost function of player
$i \in \mathcal{A}$ for given parameters $\beta_i$ and $p_i$ $\forall i$,

such that each player $i$ solves its own optimization problem

$$\min_{x_i} J_i(x_i, x_{-i})$$

by choosing an appropriate $x_i$ given the decisions of all players denoted by $x_{-i}$.

The Nash equilibrium (NE) is a widely-accepted and useful solution concept
in strategic games, where no player has an incentive to deviate from it
while others play according to their NE strategies [31,32]. The NE is at the
same time the intersection point of players' best responses obtained by solving
their individual optimization problems. The NE of the game $\mathcal{G}$ in Definition 1
is formally defined as follows.

Definition 2. The Nash equilibrium of the game $\mathcal{G}$ in Definition 1 is denoted
by the vector $x^* = [x_1^*, \ldots, x_N^*] \in \mathcal{X}$ and defined as

$$x_i^* := \arg\min_{x_i} J_i(x_i, x_{-i}^*), \quad \forall i \in \mathcal{A},$$

where $x_{-i}^* = [x_1^*, \ldots, x_{i-1}^*, x_{i+1}^*, \ldots, x_N^*]$.

If some special convexity and compactness conditions are imposed on the
game $\mathcal{G}$, then it admits a unique NE solution, which simplifies mechanism and
algorithm design significantly. We refer to Appendix A.1 as well as [1,7,33]
for the details and an extensive analysis.

The risk manager (designer) $\mathcal{D}$ devises an incentive mechanism $\mathcal{M}$,
which can be represented by the mapping $\mathcal{M} : \mathcal{X} \to \mathbb{R}^N$, and
implemented through additional incentives (e.g. subsidies) in player cost functions,
$p_i x_i$, above. Using incentive mechanism $\mathcal{M}$, the designer aims to achieve a
certain risk management objective, which can be maximization of aggregate player
utilities (expected aggregate benefit from risk-related investments) or an
independent organizational target that depends on participation of all players such
as deployment of a new risk management solution. These can be modeled using a
designer objective function $V$ that quantifies the desirability of an outcome $x$
from the designer's perspective. Formally, the function $V$ is defined as

$$V(x, U(x), p) : \mathcal{X} \to \mathbb{R}.$$

Thus, the global optimization problem of the designer is

$$\max V(x, U_i(x), p)$$

which it solves by choosing the vector $p = [p_1, \ldots, p_N]$, i.e. providing incentive
factors to the players. Note that the designer objective $V$ (possibly) depends on
player utilities $U = [U_1, \ldots, U_N]$, yet the designer does not have direct
knowledge of them. Furthermore, the risk manager may have only a limited budget
$B$ to achieve its goal that leads to the additional constraint



N 
Mechanism design, as a field of game theory, studies designing the rules
and structure of games such that their outcomes achieve certain objectives [11,
20,23,26]. Two criteria a mechanism has to satisfy have already been described
above. The player objective of minimizing own cost can also be called
preference-compatibility. Likewise, the designer objectives of maximizing $V$ or
achieving a global goal can be interpreted as an efficiency criterion. The third
criterion arises from the fact that the interaction between the designer and
players of the game (Figure 1) may motivate the players to misrepresent their
utilities to the designer. They can benefit from misrepresenting their utilities
(exaggerating or diminishing the actual benefits of their investments) to receive
higher incentives. Therefore, mechanism design has a third objective called
interchangeably strategy-proofness, truth dominance, or incentive-compatibility in
addition to the objectives of efficiency and preference-compatibility. All
three criteria are summarized in the following table:



Table 1: Three Criteria of Mechanism Design

Criterion                 Formulation in the Model
------------------------  ----------------------------------------------------
Efficiency                Designer objective
Preference-compatibility  Players minimizing own costs (NE as operating point)
Strategy-proofness        No player gains from cheating


2.1 Assumptions 

Taking into account the breadth of the field of mechanism design, it is useful to
clarify the underlying assumptions of the model studied in this section. The
environment where the players and designer interact is characterized by the
following properties:

• The players and designer operate with limited resources, e.g. under budget 
and manpower constraints. 

• The organizational structure imposes restrictions on available information 
to players and communication between them. 

• The designer has no information on the preferences of individual players, 
but observes their actions and final costs. 

The players share and compete for limited resources in the given environment 
under its information and communication constraints. The following assump- 
tions are made on the designer and players: 

• The designer is honest, i.e. does not try to deceive players. 

• Each player acts alone and rationally according to own self interests. 
• The players may try to deceive the designer by hiding or misrepresenting
their own preferences. 

• All players follow the rules of the mechanism imposed by the designer. 

Implications of these assumptions and limitations of the presented model 
will be further discussed in Section 6. 



3 Incentive Mechanism Design 

This section presents two specific incentive mechanisms for risk management
based on the model of the previous section. In the first mechanism, $\mathcal{M}_1$, the
risk manager (designer) aims to maximize the aggregate benefit from security
investments of units, which is the sum of player utilities. This objective is
sometimes also called "social welfare maximization". The second mechanism,
$\mathcal{M}_2$, represents a scenario in which the risk manager aims to align efforts of
all units for deployment and operation of an organization-wide risk management
solution. Both mechanisms (their iterative variants) satisfy the criteria in Table 2
under specific conditions. The interaction between the designer and players is
visualized in Figure 2.



[Diagram: the Risk Mgr. / Designer $\mathcal{D}$, with Objective $V$, sends Subsidies $p$
to the Units / Players $\mathcal{A} = \{a_1, \ldots, a_N\}$ and receives Observations of
their Investments $x$.]

Figure 2: Interaction between risk manager (designer) and organizational units
(players) as part of incentive mechanism design.



3.1 Welfare maximizing mechanism 

The optimization problem $\min_{x_i} J_i(x)$ of player $i$ is a convex one and admits
the unique solution

$$x_i^* = \left( \frac{\partial U_i(x)}{\partial x_i} \right)^{-1} (\beta_i - p_i)$$

under the strict concavity and continuous differentiability assumptions on $U_i$ [8].
Any such solution $x^*$ that solves all player optimization problems is by definition
preference-compatible.
It is important to note that, if there was no incentive term, $p_i x_i$, in player
cost, each unit would act according to self interest only, resulting in a suboptimal
result for the entire organization; a situation sometimes termed the tragedy
of the commons. The designer can prevent this by providing a carefully selected
incentive scheme [4,5].

The risk manager $\mathcal{D}$'s objective in mechanism $\mathcal{M}_1$ is to maximize the
sum of player utilities, $U_i(x_i)$. The fact that, under the assumptions of Section 2,
the risk manager does not know these utilities makes this goal paradoxical at
first glance. However, the risk manager can actually achieve it in a carefully
designed mechanism where it deduces the needed parameters for the solution
from the observed actions of players.

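Formally, the designer solves the constrained optimization problem

$$\max_x V(x) \;\Leftrightarrow\; \max_x \sum_i U_i(x) \quad \text{such that} \quad \sum_i p_i x_i \le B. \qquad (2)$$

The optimal solution to this constrained problem by definition satisfies the
efficiency criterion. The associated Lagrangian function is then

$$L(x) = \sum_i U_i(x) + \lambda \left( B - \sum_i p_i x_i \right),$$

where $\lambda > 0$ is a scalar Lagrange multiplier [8]. Under the concavity assumptions
on $U_i$, this leads to

$$\frac{\partial L}{\partial x_i} = 0 \;\Rightarrow\; \frac{1}{p_i} \sum_j \frac{\partial U_j(x)}{\partial x_i} = \lambda, \quad \forall i \in \mathcal{A}, \qquad (3)$$

and the associated budget constraint$^3$ is

$$\frac{\partial L}{\partial \lambda} = 0 \;\Rightarrow\; \sum_i p_i x_i = B. \qquad (4)$$

Meeting both the preference-compatibility and efficiency criteria requires
alignment of player and designer optimization problems. This alignment can be
achieved by choosing the Lagrange multiplier $\lambda$ and player incentive factors $p$
in such a way that

$$\frac{\beta_i - p_i}{p_i} + \frac{1}{p_i} \sum_{j \neq i} \frac{\partial U_j(x)}{\partial x_i} = \lambda, \quad \forall i \in \mathcal{A} \qquad (5)$$

and

$$\sum_i p_i \left( \frac{\partial U_i(x)}{\partial x_i} \right)^{-1} (\beta_i - p_i) = B. \qquad (6)$$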



3 An underlying assumption here is that the risk manager (designer) utilizes all of its budget, 
i.e. the constraint is active. 
Any solution to the set of $N + 1$ nonlinear equations (5)-(6) is by definition
a Nash equilibrium as it lies at the intersection of the player best responses.
These results are summarized in the following proposition.

Proposition 1. Any solution of the mechanism $\mathcal{M}_1$ described above obtained
from (5)-(6) is both player preference-compatible (based on the strategic game
$\mathcal{G}$, given in Definition 1) and efficient, i.e. maximizes $\sum_i U_i(x)$.

If the designer $\mathcal{D}$ wants to compute the incentive factors $p$ directly by solving
(5)-(6), it needs to ask each individual player $i$ for its utility, more specifically
$\partial U_i(x) / \partial x_j \; \forall j \in \mathcal{A}$. However, the players now have a
motivation to misrepresent their utilities to the designer in order to gain a larger
share of resources or incentive factors. To see this, consider a cheating player $i$
reporting $\tilde{U}_i$ to the designer instead of their true values. If the designer
believes the player and solves (5)-(6) using these, then the resulting incentive
factor $\tilde{p}$ will naturally be different from what it should have been, $p$. A
selfish or malicious player can thus manipulate such a scheme, which by definition
is not strategy-proof. Note that the risk manager has access to costs $\beta_i x_i$ and
actions $x_i$ of individual players, which can be, for example, part of an
organizational reporting process.

One way to address the issue of strategy-proofness is to devise additional 
schemes to detect potential player misbehavior (for which players already have 
a motivation). This, however, brings an additional layer of overhead to the 
overall system both in terms of communication and computing requirements. 

Alternatively, one can design an iterative mechanism that is based on 
observation of player actions x instead of asking for their word (utilities). This 
approach is the basis of the iterative schemes that will be presented in Section 4. 
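
The manipulation described above, worked through as an added example (not code from the paper). It assumes separable log utilities $U_i(x_i) = \alpha_i \log(x_i)$, for which the designer's and players' first-order conditions have a closed form; the function names and the three-unit parameter values are constructed for illustration.

```python
"""Direct-revelation welfare mechanism under ASSUMED separable log utilities
U_i(x_i) = alpha_i * log(x_i). All names and numbers are illustrative."""
import math


def designer_incentives(reported_alpha, beta, budget):
    """Incentive factors the designer computes from *reported* utility weights.

    Stationarity of the Lagrangian gives alpha_i / x_i = lam * p_i and the
    player first-order condition gives alpha_i / x_i = beta_i - p_i, hence
    p_i = beta_i / (1 + lam). The budget condition sum_i p_i x_i = B then
    yields lam = sum(reported_alpha) / B.
    """
    lam = sum(reported_alpha) / budget
    return [b / (1.0 + lam) for b in beta], lam


def best_response(alpha_i, beta_i, p_i):
    """Minimizer of J_i = beta_i*x - alpha_i*log(x) - p_i*x (requires p_i < beta_i)."""
    return alpha_i / (beta_i - p_i)


def cost(alpha_i, beta_i, p_i, x_i):
    """Player cost J_i evaluated with the player's true utility weight."""
    return beta_i * x_i - alpha_i * math.log(x_i) - p_i * x_i


def play(true_alpha, reported_alpha, beta, budget):
    """Designer prices from the reports; players then act on their true utilities."""
    p, lam = designer_incentives(reported_alpha, beta, budget)
    x = [best_response(a, b, pi) for a, b, pi in zip(true_alpha, beta, p)]
    costs = [cost(a, b, pi, xi) for a, b, pi, xi in zip(true_alpha, beta, p, x)]
    spend = sum(pi * xi for pi, xi in zip(p, x))  # subsidies actually paid out
    return {"lam": lam, "p": p, "x": x, "costs": costs, "spend": spend}


# Constructed sample organization with three units.
TRUE_ALPHA = [1.0, 2.0, 3.0]   # private utility weights
BETA = [2.0, 3.0, 2.5]         # per-unit cost factors, visible to the designer
BUDGET = 2.0


def compare(cheater=2, false_alpha=1.0):
    """Outcome with honest reports versus one unit misreporting its weight."""
    honest = play(TRUE_ALPHA, TRUE_ALPHA, BETA, BUDGET)
    report = list(TRUE_ALPHA)
    report[cheater] = false_alpha
    lied = play(TRUE_ALPHA, report, BETA, BUDGET)
    return honest, lied


if __name__ == "__main__":
    honest, lied = compare()
    for name, res in (("honest reports", honest), ("unit 3 misreports", lied)):
        print(f"{name}: p={[round(v, 3) for v in res['p']]} "
              f"cost of unit 3={res['costs'][2]:.4f} spend={res['spend']:.3f}")
```

With these numbers, unit 3 under-reporting its benefit lowers the multiplier, raises every incentive factor and lowers its own cost, while realized subsidy spending rises from 2.0 to 3.0 against a budget of 2.0.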

3.2 Mechanism with global objective 

The second mechanism, $\mathcal{M}_2$, differs from the social welfare maximizing one,
$\mathcal{M}_1$, discussed in the previous subsection. In this case, the designer has an
organization-wide or "global" objective represented by the strictly concave and
nondecreasing function $F(x)$ which does not directly depend on player utilities.
This organization-wide objective could be, for example, deployment and operation
of an organization-wide risk management solution that naturally requires
cooperation from all units and an alignment of efforts.

In mechanism $\mathcal{M}_2$, the risk manager formally solves the constrained
optimization problem

(7)

The associated Lagrangian function is then



where $\lambda > 0$ is a scalar Lagrange multiplier. Note that the constraint is
always active in this case due to the definition of $F(x)$. Under the concavity
assumptions on $F(x)$, this leads to

$$\frac{1}{p_i} \frac{\partial F(x)}{\partial x_i} = \lambda, \quad \forall i \in \mathcal{A}, \qquad (8)$$

and the associated budget constraint is

$$\frac{\partial L}{\partial \lambda} = 0 \;\Rightarrow\; \sum_i p_i x_i = B. \qquad (9)$$



Combining this with the player optimization problems to ensure efficiency
and preference-compatibility as in the previous subsection leads to

$$\frac{1}{p_i} \frac{\partial F(x)}{\partial x_i} = \lambda, \quad \forall i \in \mathcal{A}, \qquad (10)$$

and

(11)

which are direct counterparts of (5)-(6). As before, any solution constitutes a
Nash equilibrium as it lies at the intersection of the player best responses.

Proposition 2. Any solution of the mechanism $\mathcal{M}_2$ described above obtained
from (10)-(11) is both player preference-compatible (based on the strategic game
$\mathcal{G}$, given in Definition 1) and efficient, i.e. maximizes $F(x)$.

In mechanism $\mathcal{M}_2$, the risk manager has to evaluate the term
$\partial F(x) / \partial x_i$ for each unit $i$, in addition to asking them for their
utilities and cost factors. This term can be interpreted as the rate of contribution
of each unit to the organization-wide objective. Since the risk manager sets this
objective, it can be computed or estimated with reasonable accuracy. However, as
before the solution of (10)-(11) also depends on individual unit utilities and cost
factors. Therefore, mechanism $\mathcal{M}_2$, similar to $\mathcal{M}_1$, requires deployment
of iterative methods in order to meet the criterion of strategy-proofness.

3.3 Interdependent Utilities and Linear Influence Model

In the presented model and analysis, utilities of individual players (units) may
depend not only on their own actions but also on those of others, e.g.
$U_i(x) = U_i([x_1, \ldots, x_N])$. In other words, a unit benefits not only from own
risk investments but also from efforts of other related units. Such utility functions
are called interdependent or nonseparable in contrast to separable player utilities,
$U_i(x_i)$, that depend only on own actions. If the player utilities are separable, then
the player decisions are almost completely decoupled from each other except
from external resource constraints (such as the incentives they receive from the
designer). This simplifies development of decentralized schemes significantly.

One possible way of modeling interdependencies in player utilities is the
linear influence model, which captures how actions (investments) of players (units)
affect others. As a first-order approximation these effects are modeled as linear,
resulting in an influence matrix defined as



$$W := \begin{cases} 1, & \text{if } i = j, \\ W_{ij}, & \text{otherwise,} \end{cases} \qquad (12)$$

where $0 \le W_{ij} \le 1$ denotes the non-negative effect of unit $j$('s investment) on
unit $i$. Notice that this effect may well be zero.

Define now the vector of effective investments $x^e = [x_1^e, \ldots, x_N^e]$, where the
effective investment of unit $i$ is

$$x_i^e := \sum_j W_{ij} x_j = (Wx)_i,$$

and $(\cdot)_i$ denotes the $i$th element of a vector.

Naturally, it is possible to develop more complex nonlinear models to capture
interdependencies between units and their actions. However, given the
limitations on information collection and accuracy, the linear first order
approximation described provides a good starting point. Therefore, we will use
the linear influence model in the case of interdependent (non-separable) utilities
for the rest of the paper.

Note that under the linear influence model, the nonseparable utility, $U_i(x)$,
of player $i$ is given by

$$U_i(x_i^e) = U_i((Wx)_i).$$



4 Iterative Incentive Mechanisms 

Mechanisms $\mathcal{M}_1$ and $\mathcal{M}_2$ as defined in the previous section are shown
to be efficient and preference-compatible (see Propositions 1 and 2) but not
strategy-proof. This section presents two iterative variants of these mechanisms that
satisfy all three criteria and can be implemented under information limitations.



4.1 Iterative mechanism with global objective 



In the iterative mechanism with global objective, $\mathcal{IM}_2$, both the risk manager
and units adopt an iterative scheme to facilitate information exchange that does
not allow cheating, hence resulting in a strategy-proof mechanism. Specifically,
the risk manager updates the Lagrangian multiplier $\lambda$ in (8) gradually according
to

$$\lambda(n+1) = \lambda(n) + \kappa_d \left[ \sum_i p_i(n) x_i(n) - B \right]^+ \qquad (13)$$

and computes the individual player incentive factors

$$p_i(n) = \frac{1}{\lambda(n)} \frac{\partial F(x(n))}{\partial x_i}. \qquad (14)$$
Here, $n = 1, \ldots$ denotes the iteration number or time-step. The units (players)
in return react to given incentive factors by updating their investment decisions
in order to minimize their own costs such that

$$x_i(n+1) = \phi\, x_i(n) + \cdots \qquad (15)$$

where $0 < \phi < 1$ is a relaxation constant used by the players to prevent excessive
fluctuations. Alternatively, this behavior can be justified with caution or inertia
of the organizational units.

The equilibrium solution(s) of (13)-(15) clearly coincide with that of (10)-(11).
Hence, the iterative mechanism $\mathcal{IM}_2$, assuming that it converges, solves
the same problem as mechanism $\mathcal{M}_2$. Furthermore, it is strategy-proof since
at each update step, the players make decisions according to their own self
interests and do not have the opportunity of manipulating the system. To see
this, assume otherwise and let player $i$ "misrepresent" its actions
$\tilde{x}_i = x_i + \delta$ for some $\delta \in \mathbb{R}$. Then, the player's instantaneous
cost is $J_i(\tilde{x}_i) > J_i(x_i)$ at each step of the iteration. Hence, the players
have no incentive to "cheat". These results are summarized in the following theorem
which extends Proposition 2:

Theorem 4.1. Any solution of the iterative mechanism with global objective,
$\mathcal{IM}_2$, described above and in Algorithm 1 is player preference-compatible,
efficient, and strategy-proof.

Information flow and limitations play a crucial role in implementation of the
iterative mechanism $\mathcal{IM}_2$. In practice, the risk manager is assumed to observe
the actions of units which they have to reveal in order to receive incentives.
Based on this information and the total budget, the risk manager can easily
implement (13). Then, it only needs to estimate the individual marginal
contributions of units to the overall objective, $\partial F(x(n)) / \partial x_i$, at a given
moment in order to decide on actual incentive factors in (14).

Likewise, given own cost estimates and incentive factor $p_i$, each unit
(player) only has to determine the marginal benefit from its own actions,
$\partial U_i(x(n)) / \partial x_i$, in order to implement (15). If the unit has a separable
utility, then this is simply equivalent to $\partial U_i(x_i(n)) / \partial x_i$. In the
interdependent utility case, under the linear influence model this quantity turns out
to be the marginal benefit from the effective action,

$$\frac{\partial U_i(x(n))}{\partial x_i} = \frac{\partial U_i(x_i^e(n))}{\partial x_i^e} \, \frac{\partial \sum_j W_{ij} x_j}{\partial x_i} = \frac{\partial U_i(x_i^e(n))}{\partial x_i^e}$$

as a result of $W_{ii} = 1$ and the definitions of respective quantities. Algorithm 1
summarizes the steps of the iterative mechanism with global objective, $\mathcal{IM}_2$.

Algorithm 1: Iterative mechanism $\mathcal{IM}_2$

Input: Designer: budget $B$ and global objective $F(x)$
Input: Players: cost factor and utilities $U_i$, $\forall i$
Result: Player investments $x$ and incentive factors $p$
Initial investments $x_0$ and incentive factors $p$;
repeat
    begin Designer:
        Observe player investments $x$;
        Update $\lambda$ according to (13);
        Estimate marginal contributions of players to global objective,
        $\partial F(x) / \partial x_i$;
        foreach player $i$ do
            Compute incentive factor $p_i$ from (14);
        end
    end
    begin Players:
        foreach player $i$ do
            Estimate marginal utility $\partial U_i(x) / \partial x_i$;
            Compute investment $x_i$ from (15);
        end
    end
until end of iteration (negotiation);

Convergence Analysis of $\mathcal{IM}_2$

A basic stability analysis is provided for a continuous-time approximation of the
iterative mechanism with global objective, $\mathcal{IM}_2$. For tractability, let the player
utilities be of the form $U_i = \alpha_i \log(x_i)$. Further define the global objective
function of the risk manager as $F(x) := \sum_i \gamma_i x_i$, for some $\gamma_i > 0 \; \forall i$.

Substituting $p_i$ with $\gamma_i/\lambda$, the continuous-time counterpart of (13)-(15) is




where $t$ denotes time and $\kappa_\lambda, \kappa_i > 0$ are step-size constants. As in the
discrete-time version, the players adopt here a gradient best response algorithm.
Define the Lyapunov function

which is nonnegative except at the solution(s) of (13)-(15), i.e. $V_L(x^*, \lambda^*) = 0$.
Taking the derivative of $V_L$ with respect to time yields

^..^(z^y.^d.f-Ay. 
Consider the region where $F(x) = \sum_i \gamma_i x_i > 0$. Then, there exists an
$\varepsilon > 0$ such that

$$\dot{V}_L(x,\lambda) < -\varepsilon V_L < 0, \quad \forall (x,\lambda) \neq (x^*,\lambda^*),$$

i.e. for any point of the trajectory $(x, \lambda)$ not equal to a solution of (13) and
(15). Thus, the continuous-time algorithm is exponentially stable [22] on the
set $X := \{x \in \mathcal{X} : F(x) > 0\}$. This result, which is summarized in the next
theorem, is a strong indicator of fast convergence [9] of the discrete-time iterative
pricing mechanism (14)-(17).

Proposition 3. The continuous-time approximation of the iterative mechanism
IM2, given by (16), exponentially converges to a solution of (13)-(15) on the
set $X = \{x \in \mathcal{X} : F(x) > 0\}$.

The exponential convergence result above indicates a very fast convergence
rate. To see this, let $x(0)$ be the initial player investments and $x^*$ denote a
solution of (13)-(15). Then, for the player investments $x(t)$ under the
continuous-time approximation of the iterative mechanism IM2 the following holds:

$$\|x(t) - x^*\| < a\,\|x(0) - x^*\|\,e^{-\beta t},$$

for $t > 0$ and some $a, \beta > 0$. In other words, the investment levels approach
their equilibrium values exponentially fast.



4.2 Iterative welfare maximizing mechanism 

The iterative welfare maximizing mechanism IM1 extends mechanism M1.
As in the previous mechanism, the risk manager updates the Lagrangian
multiplier $\lambda$ according to (13) and the unit updates are given by (15).

However, the computation of individual player incentive factors is more in- 
volved due to the dependence of the objective (welfare maximization) on indi- 
vidual player utilities 

j 

which follows from (5). At first glance, it seems that the designer has to ask 
players again for their marginal utility which defeats the purpose of the iterative 
approach, namely ensuring strategy-proofness. Fortunately, the designer can 
circumvent this issue by utilizing side information, in this case player cost factors
$\beta$, within the linear influence model.

It directly follows from the linear influence model that

$$\frac{\partial U_j(x)}{\partial x_i} = \frac{dU_j}{dx_j^e}\,\frac{\partial x_j^e}{\partial x_i} = \frac{dU_j}{dx_j^e}\,W_{ji} = \frac{\partial U_j}{\partial x_j}\,W_{ji}.$$

The actions of any player i chosen according to a (relaxed) best response (15),
and observed by the designer, yield the information

$$\frac{\partial U_i}{\partial x_i} = \beta_i - p_i$$

to the designer. Hence, the substitution

$$\sum_j \frac{\partial U_j(x(n))}{\partial x_i} = \sum_j (\beta_j - p_j)\,W_{ji}, \quad \forall i, j,$$

can be used in (17) to obtain

$$\lambda p = W^T(\beta - p).$$

Thus, the designer implements

$$p = (W^T + \lambda I)^{-1} W^T \beta \qquad (18)$$

together with (13) to determine player incentive factors. Here, $(\cdot)^T$ denotes the
transpose operator and $I$ the identity matrix. These results are summarized in
the following theorem which extends Proposition 1:

Theorem 4.2. Any solution of the iterative mechanism with global objective,
IM1, described above and in Algorithm 2 is player preference-compatible,
efficient, and strategy-proof.

The information structure in mechanism IM1 is similar to that of IM2 with
the following differences. In IM1, the risk manager has to estimate the linear
dependencies in the system represented by the matrix $W$ and observe cost factors
$\beta$ of units in addition to their investments. These information requirements
are due to the complex nature of the welfare maximization objective, which
necessitates additional (indirect) communication between the risk manager and
units in practice. Algorithm 2 summarizes the steps of the welfare maximizing
mechanism IM1.
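The designer's computation in (18) can be checked numerically. The following is an added example, not code from the paper: the 3-unit influence matrix, cost factors and multiplier value are constructed sample inputs, and the helper names are hypothetical. It solves (18), verifies the relation $\lambda p = W^T(\beta - p)$ it was derived from, and shows how far the incentive factors are off when the designer ignores the interdependencies and uses $W = I$.

```python
"""Incentive factors for the welfare-maximizing mechanism, equation (18).

Added illustration: W_TRUE, BETA and LAM are constructed sample values,
not numbers taken from the paper.
"""


def solve(a, b):
    """Solve a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("W^T + lam*I is singular; (18) has no unique solution")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in reversed(range(n)):
        s = sum(m[r][c] * x[c] for c in range(r + 1, n))
        x[r] = (m[r][n] - s) / m[r][r]
    return x


def transpose(w):
    return [list(col) for col in zip(*w)]


def matvec(a, v):
    return [sum(aij * vj for aij, vj in zip(row, v)) for row in a]


def incentive_factors(w, beta, lam):
    """Equation (18): p = (W^T + lam*I)^(-1) W^T beta."""
    wt = transpose(w)
    n = len(beta)
    lhs = [[wt[i][j] + (lam if i == j else 0.0) for j in range(n)]
           for i in range(n)]
    return solve(lhs, matvec(wt, beta))


def residual(w, beta, lam, p):
    """Largest violation of lam * p = W^T (beta - p), the relation behind (18)."""
    rhs = matvec(transpose(w), [b - pi for b, pi in zip(beta, p)])
    return max(abs(lam * pi - r) for pi, r in zip(p, rhs))


# Constructed 3-unit example. W[i][j] is the weight of unit j's investment in
# unit i's effective action; the diagonal is 1 as in the linear influence model.
W_TRUE = [[1.0, 0.3, 0.0],
          [0.1, 1.0, 0.2],
          [0.0, 0.4, 1.0]]
BETA = [3.0, 3.0, 3.0]   # cost factors observed by the designer
LAM = 0.5                # current Lagrange multiplier, as produced by (13)
IDENTITY = [[1.0 if i == j else 0.0 for j in range(3)] for i in range(3)]


def demo():
    p_true = incentive_factors(W_TRUE, BETA, LAM)
    # With W = I, (18) collapses to p_i = beta_i / (1 + lam) for every unit.
    p_naive = incentive_factors(IDENTITY, BETA, LAM)
    # Violation of the designer's relation if p_naive is used under W_TRUE.
    gap = residual(W_TRUE, BETA, LAM, p_naive)
    return p_true, p_naive, gap


if __name__ == "__main__":
    p_true, p_naive, gap = demo()
    print("p with estimated W:", [round(v, 4) for v in p_true])
    print("p with W = I      :", [round(v, 4) for v in p_naive])
    print("violation when W is ignored:", round(gap, 4))
```

The unit whose investment influences the most other units (the second one in this sample) receives the largest factor, which the $W = I$ shortcut cannot capture.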

Convergence Analysis of IM1

A basic stability analysis is provided for a continuous-time approximation of
the iterative mechanism IM1 similar to the one of IM2 in the previous
subsection. For tractability, let the player utilities be of the form
$U_i = \alpha_i \log(x_i)$ as before.

Substituting $p_i$ with

$$p_i = \frac{\beta_i}{1 + \lambda},$$

which follows from (18) and $W = I$, the continuous-time counterpart of (13)
and (15) is



(19)

where $t$ denotes time and $\kappa_\lambda, \kappa_i > 0$ are step-size constants. As in the
discrete-time version, the players adopt here a gradient best response algorithm.
Define the Lyapunov function

which is nonnegative except at the solution(s) of (13) and (15), i.e.
$V_L(x^*, \lambda^*) = 0$.

Taking the derivative of $V_L$ with respect to time yields

P T ( X x) - 2 E '^ fZifai-B \ 2 _ ^ + Ji__gV 

Vl[x > X) - 2 (i+xr{ i+A ) z^ x 2{ x . + 1+x &) ■ 

Consider the region where $\sum_i \beta_i x_i > 0$. Then, there exists an $\varepsilon > 0$ such that

$$\dot{V}_L(x,\lambda) < -\varepsilon V_L < 0, \quad \forall (x,\lambda) \neq (x^*,\lambda^*),$$

i.e. for any point of the trajectory $(x, \lambda)$ not equal to a solution of (13) and
(15). Thus, the continuous-time algorithm is exponentially stable [22] on the
set $X := \{x \in \mathcal{X} : \sum_i \beta_i x_i > 0\}$. This result, which is summarized in the
next theorem, is a strong indicator of fast convergence [9] of the discrete-time
iterative pricing mechanism IM1.

Proposition 4. The continuous-time approximation of the iterative mechanism
IM1, given by (19), exponentially converges to a solution on the set
$X := \{x \in \mathcal{X} : \sum_i \beta_i x_i > 0\}$.

5 Use Case Scenario and Numerical Analysis 

In order to illustrate the incentive mechanism framework for risk management, 
a use case scenario is described next. Since most organizations do not openly 
publish their actual risk management structure or numbers, this scenario is 
naturally hypothetical and the numbers in the subsequent numerical analysis 
do not necessarily coincide with real world counterparts. 

5.1 Example Use Case Scenario 

In this subsection, a possible use case scenario is described for a large-scale
enterprise with multiple autonomous business units, denoted by set A, which
collaborate and share IT infrastructure in order to provide various services and
products. In addition to the business units, the enterprise headquarters has a
special security risk management division, which will be simply referred to as
"risk manager" here. The task of the risk manager, V, is successful deployment
and operation of security and IT risk management projects that entail
enterprise-wide computer-assisted information collection (observation), risk
assessment (decision making), and mitigation (control).

The results and algorithms described in this paper can be utilized to de- 
velop a manual risk management strategy as well as a technical system to han- 
dle a large number of business units and multiple concurrent risk management 
projects. For simplicity and as a special case of the latter, this scenario focuses 
on the former. 

Let the risk manager start a project to improve robustness of the IT systems 
involved in a product against security threats. The success of the project natu- 
rally depends on collaboration of the 6 specific business units involved at various 
stages of the product in question. However, not each unit plays an equal role in 
creation of the product, and hence, their risk exposure is different. Therefore, 
those units with a more significant role have to make a larger investment to the 
project and their IT systems. 

During the project, the divisions have to provide accurate information on 
their business and networked systems. At the operational phase, each division 
allocates manpower and resources for the proper operation of the system. Hence, 
participation in this risk management project is associated with a certain cost 
to each unit in terms of investments and manpower. Although each unit sees 
a certain amount of value in the new risk management system, if they are left 
alone to themselves, their contributions may not be sufficient for the successful 
realization of the risk management system. Thus, the risk manager uses parts of 
its budget for subsidizing individual unit investments, if necessary in the form 
of manpower and expertise. 

Let $x = [x_1, x_2, \ldots, x_6]$ denote the investments (project contributions) of
business units. Their contribution to the project is evaluated using the
multi-variable objective function $F(x)$, which describes the goal of the entire project.
The individual marginal contribution of a business unit i (one of six) to the
project goal at a given (project) state is given by the derivative, $\partial F(x)/\partial x_i$. It
is important to note that the risk manager may not know the exact form of $F(x)$
beforehand, and has to estimate $\partial F(x)/\partial x_i$ for each business unit i at a given
state.

The goal of the risk manager is to ensure the success of the project, which
may be captured by making the objective function achieve a certain minimum
threshold value, i.e. $F(x) > V_{threshold}$. The subsidies given to the units
(monetarily or in the form of assistance) are determined in proportion to their current
investments. For example, the business unit i receives $p_i x_i$. These subsidies
of course have to be within the allocated budget, i.e. $\sum_{i=1}^{6} p_i x_i < B$. Note
that the budget in question is periodic, e.g. B units per month or year.

The interaction between the risk manager and individual units is designed
according to Algorithm 1 based on IM2. The actual time-scale of the
iteration depends on the specific requirements of the enterprise. For example,
the risk managers and representatives from the units may come together in
weekly or bi-weekly intervals to evaluate the progress, which gives some time to
the units and manager for updating their own evaluations on marginal benefits and
contributions, respectively. We next present a numerical example to further
illustrate the scenario described.

5.2 Numerical Analysis

Based on the use case scenario, an example is numerically analyzed with a risk
manager and 6 units, who implement the iterative mechanism IM2 using
Algorithm 1. The budget is $B = 3$, the global objective function of the risk manager
is $F(x) = \sum_{i=1}^{6} \gamma_i x_i$, where $\gamma = [0.8, 0.4, 0.5, 0.2, 0.3, 0.1]$, the utilities of
units are in the form of $U_i(x_i) = \alpha_i \log(x_i)$, where $\alpha = [0.9, 0.7, 0.6, 0.8, 0.2, 0.4]$,
and the unit cost factor is $\beta = 3$ for all six units. Each unit starts the
iteration with an initial investment of $x_i = 0.5$ $\forall i$ and receives an initial incentive
factor of $p_i = 0.3$ $\forall i$. The measurement units of the budget $B$ and
investments $x$ are assumed to be on the order of millions of dollars. The step-size
constants are chosen as — 0.05 and $\phi = 0.3$. The success of the project is
decided by whether the objective function passes the minimum threshold of 2.5, i.e.
$F(x^*) > 2.5$.

The evolution of unit investment levels $x(n)$ is shown in Figure 3 and the
associated incentive factors $p(n)$ in Figure 4. The first unit, which contributes the
most to the objective, receives a higher amount of aid from the risk manager than
others. The algorithm converges fast, in 10-15 steps, for the given parameters,
as indicated by the exponential convergence of its continuous-time counterpart.
For a time interval of 1-2 weeks per iteration, this corresponds to 3-6 months
in practice. Although this convergence time may seem a disadvantage at
first glance, in a practical project with highly varying parameters, such an
online algorithm may even be beneficial in terms of adaptability over time.

In contrast, the investment results of units without any incentive mechanism
in place, $y(n)$, are shown in Figure 5. A comparison of the objective function $F(x)$
with and without an incentive mechanism is depicted in Figure 6. Naturally,
this improvement comes at the expense of the budget $B$ spent entirely by the
risk manager.

Algorithm 2: Iterative mechanism IM1

Input: Designer: budget $B$ and objective $\sum_i U_i$
Input: Players: cost factor $\beta_i$ and utilities $U_i$, $\forall i$
Result: Player investments $x$ and incentive factors $p$
Initial investments $x_0$ and incentive factors $p_0$;
repeat
    begin Designer:
        Observe player actions $x$ and cost factors $\beta$;
        Estimate the linear influence matrix $W$;
        Update $\lambda$ according to (13);
        Compute incentive factors $p$ from (18);
    end
    begin Players:
        foreach player i do
            Estimate marginal utility $\partial U_i(x)/\partial x_i$;
            Compute investment $x_i$ from (15);
        end
    end
until end of iteration (negotiation);

Figure 3: The evolution of unit investment levels x(n) under Algorithm 1.

Figure 4: The evolution of incentive factors p(n) under Algorithm 1.

Figure 5: The evolution of unit investment levels y(n) without any incentive
mechanism implemented.

Figure 6: A comparison of the objective function F(x(n)) with and without
an incentive mechanism. Under the incentive mechanism it passes the success
threshold of 2.5.

6 Literature Review

Building upon its successful applications to economics and engineering (e.g.
networks), game theory has been recently utilized to model and analyze security
problems [2]. Similar formalization efforts have been ongoing in the risk
management area with the goal of developing analytical approaches to (security)
risk analysis, management, and associated decision making [3,14,17,30].
Unsurprisingly, game theory enjoys an increased interest in the risk management
community [6,16,21,24], as it provides a valuable and relevant mathematical
framework [2,7,13]. Recently, a game theoretic approach has been developed
for security and risk-related decision making and investments in [27,28].

Mechanism design [20,23,26] is a field of game theory, where a designer
imposes rules on the underlying strategic (noncooperative) game in order to
achieve certain desirable objectives such as social welfare maximization or a
system-wide goal. Hence, mechanism design can be viewed as a reverse
engineering of games. It is especially useful in developing analytical frameworks for
incentive mechanisms. Recently, there has been widespread interest in using
mechanism design for modeling, analyzing and solving network resource
allocation problems that are decentralized in nature [18,20,23,25,37,38].
It has also been applied to resource allocation in the context of engineering
optimization [15]. A basic game design approach to security investments in the
risk management context has been discussed in [2].

The presented incentive mechanism framework makes use of both mechanism
design [11,20,23,26] and game theory [7,13], which provide solid analytical and
conceptual foundations. In contrast to many existing studies [10,12,19]
focusing on answering the question of "which mechanisms are possible to design",
this work adopts a constructive approach to develop a practical methodology
and applies it to security risk management. Despite sharing the game-theoretic
approach of earlier work [27,28], it differs from these through the
mechanism design framework developed on top of the game. A similar perspective
has been briefly discussed in [2, Chap. 6], which however has not taken into
account incentive-compatibility aspects.

The article [15], which shares a similar goal as this one, discusses the
problem of designing an allocation scheme that leads to truthful reporting by the
engineers and allocation of the scarce resources within the VCG framework.
This work differs from [15] in multiple ways in addition to its focus on
risk management. First, the mechanisms discussed here are iterative, enable
operation even under limited information, and do not require any direct revelation
of preferences by the users or risk manager. Similar iterative schemes have been
analyzed in depth in the networking literature, e.g. see [1,36,38]. Second, the
sufficient conditions for convergence and operation of the iterative mechanisms
here are not as restrictive as in [15]. Finally, the properties of iterative
interaction algorithms are analyzed rigorously from a dynamical system perspective
and their rapid convergence is proven.

7 Discussion and Conclusion 

The analytical incentive mechanism design framework presented can not only 
be used to derive guidelines for handling incentives in risk management but 
also to develop computer-assisted schemes. The abstract nature of the frame- 
work is an advantage in terms of widespread applicability to diverse situations 
and organization types. In order to satisfy all three objectives of efficiency, 
preference-compatibility and strategy-proofness, iterative incentive mechanisms 
and related algorithms are developed which also allow implementation under 
information limitations. These mechanisms are very straightforward to analyze 
and implement numerically, which is especially useful since any practical imple- 
mentation of such incentive mechanism will most probably involve some kind of 
computer-assistance. The risk manager has then the option to evaluate various 
scenarios through simulations before actual deployment. This is illustrated with 
a hypothetical deployment scenario and a numerical example. 

The presented incentive mechanism framework can be extended in multiple
directions. One immediate extension is multiple decision variables. For example, 
units may need to distinguish between monetary investments and local resources 
such as manpower. Similarly, the risk manager may utilize multiple separate 
incentive factors. A related but more challenging extension is multi-criteria 
decision making, where preferences are not simply expressed through scalar 
valued functions such as U and F. This is an open research area also in decision 
and optimization theories. 

The limitations of the utility-based approach adopted here are also worth
noting. The expression of preferences through specific (continuous, differentiable)
functions is obviously a simplification to facilitate devising analytically tractable
models. However, as can be seen in Sections 4 and 5, the resulting algorithms
do not necessarily require the players to estimate their whole utility beforehand.
A step-by-step iterative estimation process is fully sufficient to establish and
communicate these preferences.

An underlying assumption of the model until now has been the fixed nature of 
player preferences or utility functions. Under this assumption, the risk manager 
can influence unit decisions only by introducing additive incentive factors to 
their cost structure as discussed. In reality however, the unit preferences are 
open to changes through psychological factors. The arts of persuasion and 
politics may "shift" the utility curves in the model. Quantification of such 
factors is obviously a significant yet open research challenge.

An approach closely related to the strategic (noncooperative) game
framework discussed in this paper is based on coalitional (cooperative) games [13,35].
How to motivate team building and cooperation in security and risk management 
has been recently discussed in [34] as well as in [2, Chap. 6]. This alternative 
approach provides a complementary and potentially very interesting research 
direction. 

Some of the other open research directions follow directly from relaxing the 
assumptions in Section 2. Improving the robustness of the incentive mechanisms 
against malicious units who do not follow the rules or have utilities orthogonal 
to other users (sometimes referred to as adversarial mechanism design) is an 
emerging and relevant research area. Detection of such misbehavior is also of 
both practical and theoretical interest. In parallel to users, the relaxation of the 
assumption on risk manager's honesty leads to similarly interesting questions 
such as how can a unit detect and respond to misbehavior (e.g. unfairness) of 
the risk manager. 



Appendix 

Existence and Uniqueness of Nash Equilibrium 

This appendix revisits the analysis in [1,33] on existence and uniqueness of Nash 
equilibrium. 

In the strategic game Q given in Definition 1, the strategy (decision) space
of the players is assumed to be convex and compact and to have a nonempty interior.
Furthermore, the cost functions of the players, $J_i$, $i \in A$, are strictly convex in
$x_i$ and at least twice continuously differentiable due to their definition as well as
those of utility functions $U_i$, $i \in A$. Therefore, the game Q admits (at least) a
Nash equilibrium from Theorem 4.4 in [7, p. 176].

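Next, additional conditions are imposed such that the game Q admits a
unique NE solution. Toward this end, define the pseudo-gradient operator

$$\nabla J := [\partial J_1(x)/\partial x_1 \;\cdots\; \partial J_N(x)/\partial x_N]^T := g(x). \qquad (20)$$

Subsequently, let the $N \times N$ matrix $G(x)$ be the Jacobian of $g(x)$ with respect
to $x$:

$$G(x) := \begin{pmatrix} b_1 & a_{12} & \cdots & a_{1N} \\ \vdots & & \ddots & \vdots \\ a_{N1} & a_{N2} & \cdots & b_N \end{pmatrix}, \qquad (21)$$

where $b_i$ and $a_{ij}$ are defined as $b_i := \partial^2 J_i(x)/\partial x_i^2$ and
$a_{ij} := \partial^2 J_i(x)/(\partial x_i \partial x_j)$, respectively.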

Assumption 1. The symmetric matrix $G(x) + G(x)^T$, where $G(x)$ is defined
in (21), is positive definite, i.e. $G(x) + G(x)^T > 0$ for all $x \in \mathcal{X}$.

Assumption 2. The strategy space $\mathcal{X}$ of the game Q can be described as

$$\mathcal{X} := \{x \in \mathbb{R}^N : h_j(x) \le 0,\; j = 1, 2, \ldots, r\}, \qquad (22)$$

where $h_j : \mathbb{R}^N \to \mathbb{R}$, $j = 1, 2, \ldots, r$, $h_j(x)$ is convex in its arguments for all j, and
the set $\mathcal{X}$ is bounded and has a nonempty interior. In addition, the derivative of
at least one of the constraints with respect to $x_i$, $\{dh_j(x)/dx_i,\ j = 1, 2, \ldots, r\}$,
is nonzero for $i = 1, 2, \ldots, N$, $\forall x \in \mathcal{X}$.

Now, revisiting the analysis in [1,33], it is shown that the game Q admits a
unique Nash equilibrium under Assumptions 1 and 2.

In view of Assumption 2, the Lagrangian function for player i in this game
is given by

$$L_i(x, \mu) = J_i(x) + \sum_{j=1}^{r} \mu_{i,j}\, h_j(x), \qquad (23)$$

where $\mu_{i,j} \ge 0$, $j = 1, 2, \ldots, r$ are the Lagrange multipliers of player i [8, p.
278]. We now provide a proposition for the game Q with conditions similar to
the well known Karush-Kuhn-Tucker necessary conditions (Proposition 3.3.1, p.
310, [8]).

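Proposition 5. Let $x^*$ be a NE point of the game Q and Assumptions 1-2 hold.
There exists then a unique set of Lagrange multipliers,
$\{\phi_{i,j} : j = 1, 2, \ldots, r,\ i = 1, 2, \ldots, N\}$, such that

$$\frac{\partial L_i(x^*, \phi)}{\partial x_i} = \frac{\partial J_i(x^*)}{\partial x_i} + \sum_{j=1}^{r} \phi_{i,j} \frac{\partial h_j(x^*)}{\partial x_i} = 0, \quad i = 1, 2, \ldots, N,$$

$$\phi_{i,j} \ge 0,\ \forall i, j, \quad \text{and} \quad \phi_{i,j} = 0,\ \forall j \notin A_i(x^*),\ \forall i,$$

where $A_i(x^*)$ is the set of active constraints in the $i$-th player's minimization problem
at NE point $x^*$.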

Proof. The proof essentially follows lines similar to the ones of the Proposition
3.3.1 of [8], where the penalty approach is used to approximate the original
constrained problem by an unconstrained problem that involves a violation of
the constraints. The main difference here is the repetition of this process for
each individual $x_i$ at the NE point $x^*$. □

Define now, in a more compact notation, the vector of Lagrangian functions as
$L := [L_1, \ldots, L_N]$, and the $N \times N$ diagonal matrix of Lagrange multipliers for
the $j$-th constraint as $\Phi_j = \mathrm{diag}[\phi_{1,j}, \phi_{2,j}, \ldots, \phi_{N,j}]$.

By Proposition 5 and Assumption 2, a NE point satisfies

$$\nabla L(x^{(1)}, \Phi^{(1)}) = g(x^{(1)}) + \sum_{j=1}^{r} \Phi_j^{(1)} \nabla h_j(x^{(1)}) = 0, \qquad (24)$$

where $\Phi_j^{(1)} \ge 0$ is unique for each j. Assume there are two different NE points
$x^{(0)}$ and $x^{(1)}$. Then, one can also write the counterpart of (24) for $x^{(0)}$. Following
an argument similar to the one in the proof of Theorem 2 in [33], one can show
that this leads to a contradiction. We present a brief outline of a simplified
version of that proof for the sake of completeness.

Multiplying (24) and its counterpart for from left by (x^ — x^) T , and 
then adding them together, we obtain 



= {x 



(o) 



) T VL(x^\^) 



(25) 



+ (VL(x«, $«)) (x<°) -x«) 
+( I ( 1 )-#) T VI(^,$(°)) 

= (x<°) - x^ f (gix^) - g(x^)) 
+ (g(x (1) ) -g(x^)) T (x^ -iW) 

+ {x (D _ X (0))T ^J^V/^ 1 )) 

-$j 0) V/>j(i(°))]. 

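Define the strategy vector $x(\theta)$ as a convex combination of the two
equilibrium points $x^{(0)}$, $x^{(1)}$:

$$x(\theta) = \theta x^{(1)} + (1 - \theta) x^{(0)},$$

where $0 < \theta < 1$. Take the derivative of $g(x(\theta))$ with respect to $\theta$,

$$\frac{dg(x(\theta))}{d\theta} = G(x(\theta)) \frac{dx(\theta)}{d\theta} = G(x(\theta))\,(x^{(1)} - x^{(0)}), \qquad (26)$$

where $G(x)$ is defined in (21). Integrating (26) over $\theta$ yields

$$g(x^{(1)}) - g(x^{(0)}) = \left[\int_0^1 G(x(\theta))\, d\theta\right] (x^{(1)} - x^{(0)}). \qquad (27)$$

Multiplying (27) from left by $(x^{(1)} - x^{(0)})^T$, the transpose of (27) from right by
$(x^{(1)} - x^{(0)})$, and adding these two terms yields

$$(x^{(1)} - x^{(0)})^T \left[\int_0^1 G(x(\theta)) + G^T(x(\theta))\, d\theta\right] (x^{(1)} - x^{(0)}). \qquad (28)$$

Since $G(x(\theta)) + G^T(x(\theta))$ is positive definite by Assumption 1 and the sum of
two positive definite matrices is positive definite, the matrix
$G := \int_0^1 G(x(\theta)) + G^T(x(\theta))\, d\theta$ is positive definite.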
Similarly, we have 



d6 



d9 



(29) 



where $H(x)$ is the Jacobian of $\nabla h(x)$ and positive definite due to convexity of
$h(x)$ by definition. The third term in (25)

$$(x^{(0)} - x^{(1)})^T \sum_j \left[\Phi_j^{(1)} \nabla h_j(x^{(1)}) - \Phi_j^{(0)} \nabla h_j(x^{(0)})\right],$$

is less than

due to convexity of $h(x)$. Since for each constraint j, $h_j(x) \le 0$ $\forall x$,
$\Phi_j^{(i)} h_j(x^{(i)}) = 0$, $i = 0, 1$, and $\Phi_j$ is positive definite, where the latter two
follow from Karush-Kuhn-Tucker conditions, this term is also non-positive.

The sum of the first two terms in (25) is the negative of (28), which is
strictly positive for all $x^{(1)} \neq x^{(0)}$. Hence, (25) is strictly negative which leads
to a contradiction unless $x^{(1)} = x^{(0)}$. Thus, there exists a unique NE point in
the game Q.